@attest-it/core 0.0.0 → 0.2.0

package/dist/core-public.d.ts

@@ -1,11 +1,5 @@
 import { z } from 'zod';
 
-/**
- * Supported signature algorithms.
- * @public
- */
-export declare type Algorithm = 'ed25519' | 'rsa';
-
 /**
  * A single attestation entry.
  * @public
@@ -49,6 +43,8 @@ export declare interface AttestItConfig {
     settings: AttestItSettings;
     /** Named test suites with their configurations */
     suites: Record<string, SuiteConfig>;
+    /** Named groups of suites */
+    groups?: Record<string, string[]>;
 }
 
 /**
@@ -64,8 +60,6 @@ export declare interface AttestItSettings {
     attestationsPath: string;
     /** Default command to execute for attestation (can be overridden per suite) */
     defaultCommand?: string;
-    /** Cryptographic algorithm to use for signatures */
-    algorithm: 'ed25519' | 'rsa';
 }
 
 /**
@@ -142,27 +136,26 @@ export declare class ConfigNotFoundError extends Error {
  * Zod schema for the full configuration file.
  */
 declare const configSchema: z.ZodObject<{
+    groups: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
     settings: z.ZodDefault<z.ZodObject<{
-        algorithm: z.ZodDefault<z.ZodEnum<["ed25519", "rsa"]>>;
         attestationsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
-    }, "strict", z.ZodTypeAny, {
-        algorithm: "ed25519" | "rsa";
-        attestationsPath: string;
-        defaultCommand?: string | undefined;
-        maxAgeDays: number;
-        publicKeyPath: string;
-    }, {
-        algorithm?: "ed25519" | "rsa" | undefined;
-        attestationsPath?: string | undefined;
-        defaultCommand?: string | undefined;
-        maxAgeDays?: number | undefined;
-        publicKeyPath?: string | undefined;
-    }>>;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">>>;
     suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodObject<{
         command: z.ZodOptional<z.ZodString>;
+        depends_on: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         description: z.ZodOptional<z.ZodString>;
         files: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         ignore: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
@@ -170,6 +163,7 @@ declare const configSchema: z.ZodObject<{
         packages: z.ZodArray<z.ZodString, "many">;
     }, "strict", z.ZodTypeAny, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -177,6 +171,7 @@ declare const configSchema: z.ZodObject<{
         packages: string[];
     }, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -184,6 +179,7 @@ declare const configSchema: z.ZodObject<{
         packages: string[];
     }>>, Record<string, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -191,6 +187,7 @@ declare const configSchema: z.ZodObject<{
         packages: string[];
     }>, Record<string, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -199,15 +196,16 @@ declare const configSchema: z.ZodObject<{
     }>>;
     version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
+    groups?: Record<string, string[]> | undefined;
     settings: {
-        algorithm: "ed25519" | "rsa";
         attestationsPath: string;
         defaultCommand?: string | undefined;
         maxAgeDays: number;
         publicKeyPath: string;
-    };
+    } & { [k: string]: unknown };
     suites: Record<string, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -216,15 +214,16 @@ declare const configSchema: z.ZodObject<{
     }>;
     version: 1;
 }, {
-    settings?: {
-        algorithm?: "ed25519" | "rsa" | undefined;
-        attestationsPath?: string | undefined;
-        defaultCommand?: string | undefined;
-        maxAgeDays?: number | undefined;
-        publicKeyPath?: string | undefined;
-    } | undefined;
+    groups?: Record<string, string[]> | undefined;
+    settings?: undefined | z.objectInputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">;
     suites: Record<string, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -326,7 +325,11 @@ export declare interface FingerprintResult {
 }
 
 /**
- * Generate a new keypair using OpenSSL.
+ * Generate a new RSA-2048 keypair using OpenSSL.
+ *
+ * RSA-2048 with SHA-256 is used because it's universally supported across
+ * all OpenSSL and LibreSSL versions, including older macOS systems.
+ *
  * @param options - Generation options
  * @returns Paths to generated keys
  * @throws Error if OpenSSL fails or keys exist without force
@@ -353,8 +356,6 @@ export declare function getDefaultPublicKeyPath(): string;
  * @public
  */
 export declare interface KeygenOptions {
-    /** Algorithm to use (default: ed25519) */
-    algorithm?: Algorithm;
     /** Path for private key (default: OS-specific config dir) */
     privatePath?: string;
     /** Path for public key (default: repo root) */
@@ -490,7 +491,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare function setKeyPermissions(keyPath: string): Promise<void>;
 
           /**
-           * Sign data using a private key.
+           * Sign data using an RSA private key with SHA-256.
+           *
+           * Uses `openssl dgst -sha256 -sign` which is universally supported across
+           * all OpenSSL and LibreSSL versions.
+           *
            * @param options - Signing options
            * @returns Base64-encoded signature
            * @throws Error if signing fails
@@ -538,6 +543,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               command?: string;
               /** Other suite names that, when changed, invalidate this suite's attestation */
               invalidates?: string[];
+              /** Array of suite names this suite depends on */
+              depends_on?: string[];
           }
 
           /**
@@ -596,7 +603,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare type VerificationStatus = 'EXPIRED' | 'FINGERPRINT_CHANGED' | 'INVALIDATED_BY_PARENT' | 'NEEDS_ATTESTATION' | 'SIGNATURE_INVALID' | 'VALID';
 
           /**
-           * Verify a signature using a public key.
+           * Verify a signature using an RSA public key with SHA-256.
+           *
+           * Uses `openssl dgst -sha256 -verify` which is universally supported across
+           * all OpenSSL and LibreSSL versions.
+           *
            * @param options - Verification options
            * @returns true if signature is valid
            * @throws Error if verification fails (not just invalid signature)

package/dist/core-unstripped.d.ts

@@ -1,11 +1,5 @@
 import { z } from 'zod';
 
-/**
- * Supported signature algorithms.
- * @public
- */
-export declare type Algorithm = 'ed25519' | 'rsa';
-
 /**
  * A single attestation entry.
  * @public
@@ -49,6 +43,8 @@ export declare interface AttestItConfig {
     settings: AttestItSettings;
     /** Named test suites with their configurations */
     suites: Record<string, SuiteConfig>;
+    /** Named groups of suites */
+    groups?: Record<string, string[]>;
 }
 
 /**
@@ -64,8 +60,6 @@ export declare interface AttestItSettings {
     attestationsPath: string;
     /** Default command to execute for attestation (can be overridden per suite) */
     defaultCommand?: string;
-    /** Cryptographic algorithm to use for signatures */
-    algorithm: 'ed25519' | 'rsa';
 }
 
 /**
@@ -142,27 +136,26 @@ export declare class ConfigNotFoundError extends Error {
  * Zod schema for the full configuration file.
  */
 declare const configSchema: z.ZodObject<{
+    groups: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
     settings: z.ZodDefault<z.ZodObject<{
-        algorithm: z.ZodDefault<z.ZodEnum<["ed25519", "rsa"]>>;
         attestationsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
-    }, "strict", z.ZodTypeAny, {
-        algorithm: "ed25519" | "rsa";
-        attestationsPath: string;
-        defaultCommand?: string | undefined;
-        maxAgeDays: number;
-        publicKeyPath: string;
-    }, {
-        algorithm?: "ed25519" | "rsa" | undefined;
-        attestationsPath?: string | undefined;
-        defaultCommand?: string | undefined;
-        maxAgeDays?: number | undefined;
-        publicKeyPath?: string | undefined;
-    }>>;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">>>;
     suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodObject<{
         command: z.ZodOptional<z.ZodString>;
+        depends_on: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         description: z.ZodOptional<z.ZodString>;
         files: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         ignore: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
@@ -170,6 +163,7 @@ declare const configSchema: z.ZodObject<{
         packages: z.ZodArray<z.ZodString, "many">;
     }, "strict", z.ZodTypeAny, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -177,6 +171,7 @@ declare const configSchema: z.ZodObject<{
         packages: string[];
     }, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -184,6 +179,7 @@ declare const configSchema: z.ZodObject<{
         packages: string[];
     }>>, Record<string, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -191,6 +187,7 @@ declare const configSchema: z.ZodObject<{
         packages: string[];
     }>, Record<string, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -199,15 +196,16 @@ declare const configSchema: z.ZodObject<{
     }>>;
     version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
+    groups?: Record<string, string[]> | undefined;
     settings: {
-        algorithm: "ed25519" | "rsa";
         attestationsPath: string;
         defaultCommand?: string | undefined;
         maxAgeDays: number;
         publicKeyPath: string;
-    };
+    } & { [k: string]: unknown };
     suites: Record<string, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -216,15 +214,16 @@ declare const configSchema: z.ZodObject<{
     }>;
     version: 1;
 }, {
-    settings?: {
-        algorithm?: "ed25519" | "rsa" | undefined;
-        attestationsPath?: string | undefined;
-        defaultCommand?: string | undefined;
-        maxAgeDays?: number | undefined;
-        publicKeyPath?: string | undefined;
-    } | undefined;
+    groups?: Record<string, string[]> | undefined;
+    settings?: undefined | z.objectInputType<{
+        attestationsPath: z.ZodDefault<z.ZodString>;
+        defaultCommand: z.ZodOptional<z.ZodString>;
+        maxAgeDays: z.ZodDefault<z.ZodNumber>;
+        publicKeyPath: z.ZodDefault<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">;
     suites: Record<string, {
         command?: string | undefined;
+        depends_on?: string[] | undefined;
         description?: string | undefined;
         files?: string[] | undefined;
         ignore?: string[] | undefined;
@@ -326,7 +325,11 @@ export declare interface FingerprintResult {
 }
 
 /**
- * Generate a new keypair using OpenSSL.
+ * Generate a new RSA-2048 keypair using OpenSSL.
+ *
+ * RSA-2048 with SHA-256 is used because it's universally supported across
+ * all OpenSSL and LibreSSL versions, including older macOS systems.
+ *
  * @param options - Generation options
  * @returns Paths to generated keys
  * @throws Error if OpenSSL fails or keys exist without force
@@ -353,8 +356,6 @@ export declare function getDefaultPublicKeyPath(): string;
  * @public
  */
 export declare interface KeygenOptions {
-    /** Algorithm to use (default: ed25519) */
-    algorithm?: Algorithm;
     /** Path for private key (default: OS-specific config dir) */
     privatePath?: string;
     /** Path for public key (default: repo root) */
@@ -490,7 +491,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare function setKeyPermissions(keyPath: string): Promise<void>;
 
           /**
-           * Sign data using a private key.
+           * Sign data using an RSA private key with SHA-256.
+           *
+           * Uses `openssl dgst -sha256 -sign` which is universally supported across
+           * all OpenSSL and LibreSSL versions.
+           *
            * @param options - Signing options
            * @returns Base64-encoded signature
            * @throws Error if signing fails
@@ -538,6 +543,8 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
               command?: string;
               /** Other suite names that, when changed, invalidate this suite's attestation */
               invalidates?: string[];
+              /** Array of suite names this suite depends on */
+              depends_on?: string[];
           }
 
           /**
@@ -596,7 +603,11 @@ export declare function listPackageFiles(packages: string[], ignore?: string[],
           export declare type VerificationStatus = 'EXPIRED' | 'FINGERPRINT_CHANGED' | 'INVALIDATED_BY_PARENT' | 'NEEDS_ATTESTATION' | 'SIGNATURE_INVALID' | 'VALID';
 
           /**
-           * Verify a signature using a public key.
+           * Verify a signature using an RSA public key with SHA-256.
+           *
+           * Uses `openssl dgst -sha256 -verify` which is universally supported across
+           * all OpenSSL and LibreSSL versions.
+           *
            * @param options - Verification options
            * @returns true if signature is valid
            * @throws Error if verification fails (not just invalid signature)

package/dist/{crypto-ITLMIMRJ.js → crypto-VAXWUGKL.js}

@@ -1,3 +1,3 @@
-export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, setKeyPermissions, sign, verify } from './chunk-UWYR7JNE.js';
-//# sourceMappingURL=crypto-ITLMIMRJ.js.map
-//# sourceMappingURL=crypto-ITLMIMRJ.js.map
+export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, setKeyPermissions, sign, verify } from './chunk-CEE7ONNG.js';
+//# sourceMappingURL=crypto-VAXWUGKL.js.map
+//# sourceMappingURL=crypto-VAXWUGKL.js.map

package/dist/{crypto-ITLMIMRJ.js.map → crypto-VAXWUGKL.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"crypto-ITLMIMRJ.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"crypto-VAXWUGKL.js"}

package/dist/index.cjs

@@ -142,7 +142,6 @@ async function cleanupFiles(...paths) {
 async function generateKeyPair(options = {}) {
   await ensureOpenSSLAvailable();
   const {
-    algorithm = "ed25519",
     privatePath = getDefaultPrivateKeyPath(),
     publicPath = getDefaultPublicKeyPath(),
     force = false
@@ -160,7 +159,15 @@ async function generateKeyPair(options = {}) {
   await ensureDir(path2__namespace.dirname(privatePath));
   await ensureDir(path2__namespace.dirname(publicPath));
   try {
-    const genArgs = algorithm === "ed25519" ? ["genpkey", "-algorithm", "Ed25519", "-out", privatePath] : ["genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", privatePath];
+    const genArgs = [
+      "genpkey",
+      "-algorithm",
+      "RSA",
+      "-pkeyopt",
+      "rsa_keygen_bits:2048",
+      "-out",
+      privatePath
+    ];
     const genResult = await runOpenSSL(genArgs);
     if (genResult.exitCode !== 0) {
       throw new Error(`Failed to generate private key: ${genResult.stderr}`);
@@ -192,16 +199,8 @@ async function sign(options) {
   const sigFile = path2__namespace.join(tmpDir, "sig.bin");
   try {
     await fs2__namespace.writeFile(dataFile, processBuffer);
-    const result = await runOpenSSL([
-      "pkeyutl",
-      "-sign",
-      "-inkey",
-      privateKeyPath,
-      "-in",
-      dataFile,
-      "-out",
-      sigFile
-    ]);
+    const signArgs = ["dgst", "-sha256", "-sign", privateKeyPath, "-out", sigFile, dataFile];
+    const result = await runOpenSSL(signArgs);
     if (result.exitCode !== 0) {
       throw new Error(`Failed to sign data: ${result.stderr}`);
     }
@@ -229,21 +228,17 @@ async function verify(options) {
   try {
     await fs2__namespace.writeFile(dataFile, processBuffer);
     await fs2__namespace.writeFile(sigFile, sigBuffer);
-    const result = await runOpenSSL([
-      "pkeyutl",
+    const verifyArgs = [
+      "dgst",
+      "-sha256",
       "-verify",
-      "-pubin",
-      "-inkey",
       publicKeyPath,
-      "-sigfile",
+      "-signature",
       sigFile,
-      "-in",
       dataFile
-    ]);
-    if (result.exitCode !== 0 && result.exitCode !== 1) {
-      throw new Error(`Verification error: ${result.stderr}`);
-    }
-    return result.exitCode === 0;
+    ];
+    const result = await runOpenSSL(verifyArgs);
+    return result.exitCode === 0 && result.stdout.toString().includes("Verified OK");
   } finally {
     try {
       await fs2__namespace.rm(tmpDir, { recursive: true, force: true });
@@ -268,23 +263,25 @@ var settingsSchema = zod.z.object({
   maxAgeDays: zod.z.number().int().positive().default(30),
   publicKeyPath: zod.z.string().default(".attest-it/pubkey.pem"),
   attestationsPath: zod.z.string().default(".attest-it/attestations.json"),
-  defaultCommand: zod.z.string().optional(),
-  algorithm: zod.z.enum(["ed25519", "rsa"]).default("ed25519")
-}).strict();
+  defaultCommand: zod.z.string().optional()
+  // Note: algorithm field was removed - RSA is the only supported algorithm
+}).passthrough();
 var suiteSchema = zod.z.object({
   description: zod.z.string().optional(),
   packages: zod.z.array(zod.z.string().min(1, "Package path cannot be empty")).min(1, "At least one package pattern is required"),
   files: zod.z.array(zod.z.string().min(1, "File path cannot be empty")).optional(),
   ignore: zod.z.array(zod.z.string().min(1, "Ignore pattern cannot be empty")).optional(),
   command: zod.z.string().optional(),
-  invalidates: zod.z.array(zod.z.string().min(1, "Invalidated suite name cannot be empty")).optional()
+  invalidates: zod.z.array(zod.z.string().min(1, "Invalidated suite name cannot be empty")).optional(),
+  depends_on: zod.z.array(zod.z.string().min(1, "Dependency suite name cannot be empty")).optional()
 }).strict();
 var configSchema = zod.z.object({
   version: zod.z.literal(1),
   settings: settingsSchema.default({}),
   suites: zod.z.record(zod.z.string(), suiteSchema).refine((suites) => Object.keys(suites).length >= 1, {
     message: "At least one suite must be defined"
-  })
+  }),
+  groups: zod.z.record(zod.z.string(), zod.z.array(zod.z.string().min(1, "Suite name in group cannot be empty"))).optional()
 }).strict();
 var ConfigValidationError = class extends Error {
   constructor(message, issues) {
@@ -403,7 +400,6 @@ function toAttestItConfig(config) {
       maxAgeDays: config.settings.maxAgeDays,
       publicKeyPath: config.settings.publicKeyPath,
       attestationsPath: config.settings.attestationsPath,
-      algorithm: config.settings.algorithm,
       ...config.settings.defaultCommand !== void 0 && {
         defaultCommand: config.settings.defaultCommand
       }
@@ -417,10 +413,12 @@ function toAttestItConfig(config) {
           ...suite.files !== void 0 && { files: suite.files },
           ...suite.ignore !== void 0 && { ignore: suite.ignore },
           ...suite.command !== void 0 && { command: suite.command },
-          ...suite.invalidates !== void 0 && { invalidates: suite.invalidates }
+          ...suite.invalidates !== void 0 && { invalidates: suite.invalidates },
+          ...suite.depends_on !== void 0 && { depends_on: suite.depends_on }
         }
       ])
-    )
+    ),
+    ...config.groups !== void 0 && { groups: config.groups }
   };
 }
 var LARGE_FILE_THRESHOLD = 50 * 1024 * 1024;